Suggestion for how to add docker compose network to whitelist

In case anyone is trying to use docker compose and being blocked from doing admin commands, this solution has worked for me:

#!/usr/bin/env bash

set -e

RUNNING_DGRAPH_CONTAINERS=$(docker-compose ps -q 2>/dev/null | wc -l)

# dgraph only accepts admin REST requests from whitelisted IPs, hence the added
# complexity of explicit docker networks and IP address fetching.

if [ "$RUNNING_DGRAPH_CONTAINERS" -ne 3 ]; then
	docker network create dgraph_dev || true
	# -r prints the raw address instead of a JSON-quoted string
	WHITELISTED=$(docker network inspect dgraph_dev | jq -r '.[0].IPAM.Config[0].Gateway')
	export WHITELISTED
	docker-compose up -d
fi

docker-compose.yml:

version: "3.2"
services:
  zero:
    image: dgraph/dgraph:v20.07.0
    volumes:
      - "./dgraph:/dgraph"
    ports:
      - 5080:5080
      - 6080:6080
    restart: on-failure
    command: dgraph zero --my=zero:5080

  alpha:
    image: dgraph/dgraph:v20.07.0
    volumes:
      - "./dgraph:/dgraph"
    ports:
      - 8080:8080
      - 9080:9080
    restart: on-failure
    command: dgraph alpha --whitelist="${WHITELISTED}" --my=alpha:7080 --lru_mb=2048 --zero=zero:5080

  ratel:
    image: dgraph/dgraph:v20.07.0
    ports:
      - 8000:8000
    command: dgraph-ratel

networks:
  default:
    external:
      name: dgraph_dev

This is useful knowledge for the community so I have made the post a wiki.

The syntax has changed; it is now as written here in the docs.

dgraph alpha --security whitelist=172.17.0.0:172.20.0.0,192.168.1.1 ...

It is also possible to configure the network in the compose file to use a static range and whitelist its gateway, which is the first address in the range. That saves the need to use a bash script like the one shown in this post.

services:
  alpha:
    image: dgraph/dgraph
    ports:
      - 8080:8080
      - 9080:9080
    command: dgraph alpha --security "whitelist=172.178.242.1;" ...

networks:
  default:
    ipam:
      driver: default
      config:
        - subnet: 172.178.242.0/24
        # the gateway will be 172.178.242.1
        # hence it's whitelisted on alpha

If it's not feasible, the command in the bash script can be improved by removing the dependency on jq and using Docker's built-in --format flag to get the IP with Go template syntax. For example, creating the network and getting its gateway IP as a one-liner.

DGRAPH_GATEWAY=$(docker network inspect $(docker network create dgraph) \
    --format '{{(index .IPAM.Config 0).Gateway}}')
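
An added example, not part of the original posts: the same gateway lookup made safe to re-run (the network is created only if it is missing) and failing closed, so an empty, `<no value>` or JSON-quoted result never reaches the whitelist flag. The helper names `is_ipv4` and `network_gateway` are hypothetical; `dgraph_dev` and `WHITELISTED` follow the first post.

```bash
#!/usr/bin/env bash
# Added example: helper names are hypothetical, not from Dgraph or Docker.

# Succeed only for a dotted-quad IPv4 address with every octet in 0..255.
# The function body is a subshell, so the IFS change stays local.
is_ipv4() (
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    IFS=.
    set -- $1
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
)

# Print the gateway of network $1, creating the network only if it is missing.
network_gateway() (
    net=$1
    if ! docker network inspect "$net" >/dev/null 2>&1; then
        docker network create "$net" >/dev/null || return 1
    fi
    gw=$(docker network inspect "$net" \
        --format '{{(index .IPAM.Config 0).Gateway}}') || return 1
    # Fail closed: never hand a malformed value to the whitelist flag.
    if ! is_ipv4 "$gw"; then
        echo "refusing to whitelist '$gw' as gateway of $net" >&2
        return 1
    fi
    printf '%s\n' "$gw"
)

# Usage, mirroring the first post's script:
#   WHITELISTED=$(network_gateway dgraph_dev) && export WHITELISTED && docker-compose up -d
```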